Security tokens busted in a matter of minutes

RSA has responded with a blog post describing the research as an "academic exercise" and "not a useful attack". The security firm says the attack does not impact the one-time password aspect of its tokens (the six-digit number mentioned in the story below) but only the USB smartcard aspect, which is used to store cryptographic keys. RSA also says that the attack requires knowledge of the users smartcard PIN, in which case the system has already been compromised and the attack is unnecessary..

Original story

Some security tokens designed to protect computer systems, like RSA's SecurID 800 system, are now just plain old tokens - for now. Team Prosecco, a group of cryptographers based at the French National Institute for Research in Computer Science and Control, have figured out a way to extract the secret key from such tokens in just 13 minutes, effectively rendering them useless. The attack also works against older versions of the Estonian national ID card, allowing the team to forge a digital signature in around 48 hours.

The tokens are designed to provide more security than a fixed password alone can. They regularly generate a new six-digit number based on an initial starting number provided by RSA or another security firm, and users must input this number along with their password when logging in. Many tokens are stand-alone devices, but some like the SecurID 800 can be plugged into a computer via USB so that users don't have to enter the number themselves.

It is these USB tokens that have been cracked, using a technique called a "padding oracle attack", which essentially involves slightly modifying the encrypted text thousands of times. If the system views this extra padding as a valid encryption, the attacker can learn something about the original text until eventually they know the whole thing.

This kind of attack was first proposed in 1998 but until now was thought too slow to be practical, requiring 215,000 attempts to crack 1024-bit encryption. Now Team Prosecco have worked out a way to cut that number to just 9400, which takes about 13 minutes.

The researchers will present their attack at the CRYPTO 2012 conference in Santa Barbara, California, next month, but they have already informed the affected security token manufacturers, who are in the process of fixing the flaw. It is the latest in a series of troubles for RSA, which last year had to recall its tokens after hackers breached its internal network and stole secret information related to the system.

This has nothing to do with the RSA token technology in their SecurID authenticators. The issue at hand is actually a vulnerability in the smartcard ONLY component of a SID 800 token which is a combination smartcard RSA token. The RSA token and it's secret are not affected. It is also incorrect to state the key was extracted, the actual attack exploits a weakness to access decrypted text, the actual secret doesn't really compromise the smartcard secret key. In addition, this is a general issue with potentially most USB smartcard vendors RSA being only of the many referenced in the article.

Rodney
on June 26, 2012 7:21 PM

So, these guys are saying, if I know a demo coder who has an obscure desktop achitecture whch contains a military chip with programmable cryptographic hardware acceleration capable of handling its 10 Gigabit ethernet connection, he could in theory crack a 1024 bit message, in a couple of seconds?

Wonder how faster he could crack code by hacking in the RAID 5 XOR hardware and the dual HD7990 GPUs?

I hope ExecNG will fit in a GPGPU stream processor memory, will be intresting running 7000 copies at the same time.

Brian
on June 26, 2012 11:20 PM

The research has nothing to do with authentication (which is what that six digit number is). This particular product can be used for encryption also. But since the attacker generally needs both the device and the PIN to conduct the attack, the attack described in the research would not even be needed. If the attacker has your device and your PIN for encryption, you have bigger problems anyway.